New EU cybersecurity law – is it fair?

Last Thursday the European Parliament voted to pass the NIS directive, which aims to ensure a high common level of Network and Information Security (NIS) across the EU. According to the initial NIS proposal, critical infrastructure, public administrators and key internet enablers will be required to report incidents with a significant impact on core services to competent authorities, as well as assess the risk they face and adopt appropriate and proportionate measures to combat them. NIS is beneficial to all EU countries as it boosts trust in the safety of the EU internal market.

Once enacted, the directive will be applicable to all European Member States, but each member will decide how it will then be written into national law, so sanctions will differ from country to country.

According to the Commission, 75% of small businesses and 93% of large companies were victims of cyber attacks in Europe in 2012. Those figures are only likely to grow in line with the increasing sophistication of cyber crime, especially if companies don’t start protecting their infrastructure and customers’ data better. In January 2014 the European Commission opened the Cybercrime Centre in the Netherlands, the aim of which is to boost internet security and defend the free and open internet. Although the initial NIS proposal only involved critical infrastructure, all public administrators and key internet enablers will now be required to report cyber attacks. However, the law only extends to companies that own, operate or provide technology for critical infrastructure facilities, meaning that e-commerce giants like Amazon, eBay, Google and Skype will be under no obligation to report cyber attacks.

Nowadays everyone uses these e-commerce portals, so why won’t they be required to report cyber attacks?

In my opinion, every company in Europe should report every cyber attack. Almost all of us have accounts and profiles with them, so it would benefit every European citizen if breaches were reported and treated accordingly. The 2012 Eurobarometer survey showed that almost a third of Europeans do not feel safe using the internet for banking or e-commerce, but if e-commerce companies were to report data breaches and make public the attacks they incurred, then we would be more aware and more careful when purchasing online.

Should the reporting of cyber crime be mandatory or voluntary?

It seems to me that a voluntary approach to cyber crime reporting will not provide enough protection against incidents and risks. Citizens will not feel protected if cyber security is left to the discretion of companies rather than mandated by the government. On the other hand, stakeholders believe that a mandatory approach to reporting will amount to little more than a box-ticking exercise and cyber security will not be taken as seriously as it ought to be.

Raising cyber security awareness

Awareness is key in the fight against cyber crime. How can you protect your information if you don’t know what the threats are?